Monitoring Splunk

TrackMe - insert hosts into trackme_host_monitoring?

jbuxton
Explorer

Can anyone offer any guidance on what fields would be considered 'required' for inserting a record into the TrackMe 'trackme_host_monitoring' lookup, and if any other supporting lookups would require insert/updates as well?

We have been tasked with host monitoring, and have implemented TrackMe for a few indexes so far.

Our manager wants us to check the TrackMe host activity against a 'source of truth'. For example, our Azure team uses a script to generate a list of all Azure hosts every night at midnight. We're monitoring that list and ingesting it into an index, after which we update a lookup table with the values we need.

We figure that we can run a report each day that compares a list of hosts (in this case, Azure VMs, but this could apply to firewalls, etc.) from our 'source of truth' against the hosts present in TrackMe's trackme_host_monitoring lookup.

The devil is in the details, but at the end of the day we figure we could insert the host into the TrackMe lookup if it wasn't present there. Any advice appreciated.

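One way to do the daily comparison described in the post, written as an added example (it is not code from the original post, nor part of TrackMe itself). It assumes the source-of-truth lookup is named azure_hosts_sot.csv with a host field, and that the hostname field in the trackme_host_monitoring lookup is data_host; both names are assumptions to be checked against your environment and the TrackMe app's transforms.conf and collections.conf before use.

```spl
| inputlookup azure_hosts_sot.csv
| fields host
| eval host_key=lower(host), origin="source_of_truth"
| append
    [| inputlookup trackme_host_monitoring
     | eval host_key=lower(data_host), origin="trackme"
     | fields host_key origin ]
| stats values(origin) AS origin, values(host) AS host BY host_key
| where mvcount(origin)=1 AND origin="source_of_truth"
| eval data_host=host_key
| table data_host host
| outputlookup append=true trackme_host_monitoring
```

Run it first without the final outputlookup line and inspect the result: the rows it returns are exactly the hosts present in the source of truth but absent from TrackMe, and that is the list to review before anything is written. The lowercasing on both sides is the minimum normalization; if the Azure export carries FQDNs while forwarders report short names (or vice versa), apply the same transformation on both sides of the append or the comparison will report false gaps. The append subsearch is subject to the usual subsearch result limit, so on very large TrackMe collections fetch the TrackMe side as the main search and append the source of truth instead. Which fields TrackMe treats as required for a row in that collection is not something this example can settle; confirm them from the app's own lookup and collection definitions rather than guessing, since a row missing fields its trackers expect may not render or may be rewritten on the next tracker run.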